Roundcube Webmail - Remote Code Execution
Short Info
Level
Critical
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
16 days 15 hours
Scan only one
Domain, Subdomain, IPv4
Toolbox
-
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2025-49113
- https://fearsoff.org/research/roundcube
- https://github.com/advisories/GHSA-8j8w-wwqc-x596
- http://www.openwall.com/lists/oss-security/2025/06/02/3
- https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
- https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
- https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695
- https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e